In a press release, T-Mobile confirms that it detected a data breach in its systems on January 5th. A “bad actor” managed to steal personal information (but not financial data) from around 37 million customers. This is the eighth T-Mobile data breach since 2018.
The hacker (or group of hackers) obtained customer names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and the details related to customer phone plans (such as the number of active lines).
This information could be utilized in identity theft or fraud schemes. So, T-Mobile customers should keep an eye on their bank accounts and credit reports. Note that victims of this breach may be targeted in a phishing attack—please, don’t share personal info on the phone or over email.
But how did this happen? According to T-Mobile, a “bad actor” accessed customer data by exploiting “a single API.” Our friends at TechCrunch dug up T-Mobile’s SEC filing, which states that the breach occurred on November 25th of 2022. T-Mobile didn’t notice the breach until January 5th, more than a month later.
T-Mobile claims that it patched the exploited API within a day of recognizing this breach. The company also apologizes for this problem and says that it will “continue to make substantial, multi-year investments” to strengthen its “cybersecurity program.” Too little, too late, perhaps.
This breach is still under investigation by T-Mobile and the relevant authorities. That said, T-Mobile is currently reaching out to customers who were affected.